Received: by 2002:ab2:7b86:0:b0:1f7:5705:b850 with SMTP id q6csp1331472lqh; Mon, 6 May 2024 04:49:34 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCV4BZOhHS+SiLRH3u4KrQbCZi8A2GEZd/ggRJpPLokPqtIG9U+/YqmN13qO6XE8uqF5I8gOznaplW6vTfPskvaV92Szy7rejMQd9GE5OQ== X-Google-Smtp-Source: AGHT+IF2F17DNUj7EnoEIdpOcJze/giETghxpisdwszl1b+hakid/Yyz++soq8sVedAM/XeYSLjI X-Received: by 2002:a17:90a:1307:b0:2ab:9819:64bc with SMTP id h7-20020a17090a130700b002ab981964bcmr7490472pja.32.1714996174349; Mon, 06 May 2024 04:49:34 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714996174; cv=pass; d=google.com; s=arc-20160816; b=jOxgXrxd3VYe8sVWCCNMAiJoizzXfQq1uC7uqoOkYjWVUfeHph60EYCilUTeCOaT3g K66w48ovCW2/CU6v8VV6FeXx9RUcAhT4baXkXoHvSj5s150d8/skZ640PIkMRb2tK1ae ZLRcB347fCJ5aFGSfQ8Ngee4xcZQTdOBSppT2JzuE/H3Y+Pb4MQlfvAoqUCP3xBVA/vj 9yP+VwYrT7HxdBZYNL54E8bjrjmMiQj4QyKLKjyWHCGHDb/XDAUUpVtwjIaZ68yjSHeh Czkp2bTCIK4nyurDSA5Be4ZV3jxRSKrynmwZcPIpV3d2GfYrzCrzcHMWBsAy3A7cB3Wq TW9g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:to:subject:from:cc:content-language :user-agent:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:date:message-id:dkim-signature; bh=UVOjuGHnijX2tGdsGbh2K5EBK8PBebK05w8A7S2lTKk=; fh=xZUq6ClVrZ8G2sOIRJDkXJQ3+2eoD14YdltmoaRQ00s=; b=sRfrmslvK0fKfWnqo7R+tljJvNJyce5LZ1T3zdv5/P3pAnwf8TLTvm1SWwC9gobzAG 1W/9wAYbWXf5HXqEwTB6c6nIKtsUa6grJ8HKyXOXCZ8PwCzPU6Ir9Wv/CO2d3iGBMuTP ZFo9NuCFSCrBsYPSQbd4LUf5doZJf8QEgleNf6ItyqJJ6LqudbuCPGUNYWQAqgrQYUcK DJjeloMlJfWaFr9avgrOOaK38fJHsxP/rlOCyvw9fvNzA1P+Z1OIj/wmCSg+Qmmowpfx fdGcVnQXQewUrKF7vK7A5wdivMLIBdR5xaYPuW7JS+NRScpLArUfyPNMv5utrRDkNpEQ 0Lnw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=CTqMJ2j2; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-169756-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-169756-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id u21-20020a17090abb1500b002b1a587f549si7907995pjr.128.2024.05.06.04.49.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 May 2024 04:49:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-169756-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=CTqMJ2j2; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-169756-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-169756-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 02ADE283143 for ; Mon, 6 May 2024 11:49:34 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 88555143875; Mon, 6 May 2024 11:49:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="CTqMJ2j2" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3B595142E8F for ; Mon, 6 May 2024 11:49:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714996164; cv=none; b=PeQeEqqyh7Kjo8vDbapjHWT8Psexv3rZxdI9+wXzddUMytzO6Al1MmmsQlb7NT3/shAMfw5zqBs9biVgl0jJpwl0SNRnCLMs6mBBxzAmSA6BZTwF+NY+ShCGzitbPGMWrAlDt4VfrcUDcqaiwLWLyAUuRfyD9r9ZMQRwOcroaiI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714996164; c=relaxed/simple; bh=dMc0/sjIPX+UuUh0qQzR0/ivpU5f1U0fp43I0bJLaik=; h=Message-ID:Date:MIME-Version:Cc:From:Subject:To:Content-Type; b=QRyxHXKJz29BOMk9wI7CpCUu9GJeQ5RygoNfZLAzKcrtFc5m0h38HUbA/Y19pgdES3HxzZf40+zw5OyfWOlSEXRnBYLMfosSr1pJ4dfZH0LujdGoYUKC8D+jpVDV3v2e/nwGVqo4TG/ZWT1swBYzG9baTBnuPBPm7Paa84KnQCU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=CTqMJ2j2; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1714996161; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UVOjuGHnijX2tGdsGbh2K5EBK8PBebK05w8A7S2lTKk=; b=CTqMJ2j2DuU9SFrWE5mFAdc4PBEE2PYiyXsEWhslroNhl05SICZwlW19V9C9hcQcJedC1+ k5KzYqZ6wW7CdjwbldWReqE+Jm4rQ7Vnu/2Xf9SHTiPU+vfqi/ChMsbB/j4tXxS2MHbktg +dGIxuY0I1LNfov0K+37XJw9FYVKgRU= Received: from mail-ej1-f70.google.com (mail-ej1-f70.google.com [209.85.218.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-680-6h8sbDrSOcuZPfc-AIFEZg-1; Mon, 06 May 2024 07:49:20 -0400 X-MC-Unique: 6h8sbDrSOcuZPfc-AIFEZg-1 Received: by mail-ej1-f70.google.com with SMTP id a640c23a62f3a-a592c35ac06so192186066b.0 for ; Mon, 06 May 2024 04:49:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714996159; x=1715600959; h=content-transfer-encoding:to:subject:from:cc:content-language :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=UVOjuGHnijX2tGdsGbh2K5EBK8PBebK05w8A7S2lTKk=; b=vv5WYGXuLR4DdBoVgUcL8RIZ25kcX2LFdEhgP0n+E/3Obhq1foBlkVj/KxxoDo1ROM +DDYaaQkL9VqCdvISCkcNifX2TVNdUo3qMmfqNTloiw+JcbXsQDHPpUrNIAvq4mD3ni3 /Lx1TD3Rjm9f9Fb1/ot6rgCkJs3JiRkVle4COqYUaU/mLMxYRPjqCeyexxyZhKqVUepD xLS9wdpOlWgEWNnvuygCSOSG7ld8+sVsCpzFQHnAvNpEUK5AuxtrYHzL/saRNvT9+qQv 9WnihTr1ii4tTnhpa1JFAlP+eyjbFYNjL98vIucjkImDNcTMLkaXvNiSvgozUhZdmMgP YC9g== X-Forwarded-Encrypted: i=1; AJvYcCURZzSME/GJ5JS62MiXhq79Dyd+0a5zKlPG0wRFqClw/lgdAC9hRBx41OUQw9cVBf9CXHGmtmYLyqu7daBOAggXkVxpGdAPO1hiqxGx X-Gm-Message-State: AOJu0YzzsMg4IgmxeIu1AJTIJu4O44hcVRWdu2lMOjQoMvYbpflyjher E8i+cQ1oMKw+XbBLN2JiLZ+9OHp+ZVURy4WHOoZbVt6qSkcr+W+32LvCIx7+tHW91EyjRAKWgo7 STtfkwDTfjrnF4ysBJhgQfr5+kBkzRXM3RHBnXXLKI0YY4LkEPRdUMUVRgS6b9A== X-Received: by 2002:a17:906:f59d:b0:a59:aa7a:3b16 with SMTP id cm29-20020a170906f59d00b00a59aa7a3b16mr5438599ejd.4.1714996159627; Mon, 06 May 2024 04:49:19 -0700 (PDT) X-Received: by 2002:a17:906:f59d:b0:a59:aa7a:3b16 with SMTP id cm29-20020a170906f59d00b00a59aa7a3b16mr5438572ejd.4.1714996159209; Mon, 06 May 2024 04:49:19 -0700 (PDT) Received: from [10.40.98.157] ([78.108.130.194]) by smtp.gmail.com with ESMTPSA id ze15-20020a170906ef8f00b00a59ae3efb03sm2667510ejb.3.2024.05.06.04.49.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 06 May 2024 04:49:18 -0700 (PDT) Message-ID: Date: Mon, 6 May 2024 13:49:17 +0200 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US Cc: Lennart Poettering , Robert Mader , Sebastien Bacher , Linux Media Mailing List , "dri-devel@lists.freedesktop.org" , linaro-mm-sig@lists.linaro.org, Linux Kernel Mailing List , Bryan O'Donoghue , Milan Zamazal , Maxime Ripard , Andrey Konovalov From: Hans de Goede Subject: Safety of opening up /dev/dma_heap/* to physically present users (udev uaccess tag) ? To: Sumit Semwal , Benjamin Gaignard , Brian Starkey , John Stultz , "T.J. Mercier" , =?UTF-8?Q?Christian_K=C3=B6nig?= Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Hi dma-buf maintainers, et.al., Various people have been working on making complex/MIPI cameras work OOTB with mainline Linux kernels and an opensource userspace stack. The generic solution adds a software ISP (for Debayering and 3A) to libcamera. Libcamera's API guarantees that buffers handed to applications using it are dma-bufs so that these can be passed to e.g. a video encoder. In order to meet this API guarantee the libcamera software ISP allocates dma-bufs from userspace through one of the /dev/dma_heap/* heaps. For the Fedora COPR repo for the PoC of this: https://hansdegoede.dreamwidth.org/28153.html I have added a simple udev rule to give physically present users access to the dma_heap-s: KERNEL=="system", SUBSYSTEM=="dma_heap", TAG+="uaccess" (and on Rasperry Pi devices any users in the video group get access) This was just a quick fix for the PoC. Now that we are ready to move out of the PoC phase and start actually integrating this into distributions the question becomes if this is an acceptable solution; or if we need some other way to deal with this ? Specifically the question is if this will have any negative security implications? I can certainly see this being used to do some sort of denial of service attack on the system (1). This is especially true for the cma heap which generally speaking is a limited resource. But devices tagged for uaccess are only opened up to users who are physcially present behind the machine and those can just hit the powerbutton, so I don't believe that any *on purpose* DOS is part of the thread model. Any accidental DOS would be a userspace stack bug. Do you foresee any other negative security implications from allowing physically present non root users to create (u)dma-bufs ? Regards, Hans 1) There are some limits in drivers/dma-buf/udmabuf.c and distributions could narrow these.